security-tools/atomic-red-team
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generated docs from job=generate-docs branch=master [ci skip]

Browse Source
This commit is contained in:
Atomic Red Team doc generator
2023-06-10 05:19:16 +00:00
parent 65c5514899
commit d8c164d3e6
4 changed files with 682 additions and 58 deletions
Download Patch File Download Diff File Expand all files Collapse all files
atomics/Indexes/index.yaml
+221 -18
View File
@@ -4580,10 +4580,33 @@ defense-evasion:
supported_platforms:
- macos
- linux
input_arguments:
syslog_path:
description: path of syslog file to delete. On macos it's /var/log/system.log*,
on linux, it's /var/log/syslog*. Also note for File events, that on macos,
/var/ is a link to /private/var/.
type: string
default: "/var/log/system.log"
macos_audit_path:
description: path of audit file to delete
type: string
default: "/var/audit/20220725213300.202208110700021"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi
&& stat #{syslog_path}
'
get_prereq_command: |
touch #{syslog_path}
if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
executor:
command: |
sudo rm -rf /private/var/log/system.log*
sudo rm -rf /private/var/audit/*
sudo rm -rf #{syslog_path}
if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
name: sh
elevation_required: true
- name: Delete log files using built-in log utility
@@ -4598,7 +4621,6 @@ defense-evasion:
command: |
sudo log erase --all
sudo log erase --ttl #Deletes only time-to-live log content
sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
name: sh
elevation_required: true
- name: Truncate system log files via truncate utility
@@ -4610,9 +4632,25 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path of system log to delete.
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: "sudo truncate -s 0 /var/log/system.log #size parameter shorthand\nsudo
truncate --size=0 /var/log/system.log #size parameter \n"
command: "sudo truncate -s 0 #{system_log_path} #size parameter shorthand\nsudo
truncate --size=0 #{system_log_path} #size parameter \n"
name: sh
elevation_required: true
- name: Delete log files via cat utility by appending /dev/null or /dev/zero
@@ -4624,10 +4662,26 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path of system log to delete.
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: |
sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)
name: sh
elevation_required: true
- name: System log file deletion via find utility
@@ -4638,11 +4692,37 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_name1:
description: name or prefix of system log to delete.
type: string
default: system.log
system_log_name2:
description: name or prefix of system log to delete.
type: string
default: system.log.97.gz
system_log_name3:
description: name or prefix of system log to delete.
type: string
default: system.log.98.gz
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat /var/log/#{system_log_name1} /var/log/#{system_log_name2}
/var/log/#{system_log_name3}
'
get_prereq_command: 'touch /var/log/#{system_log_name1} /var/log/#{system_log_name2}
/var/log/#{system_log_name3}
'
executor:
command: |
sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
sudo find /var/log -name '#{system_log_name1}.*' -exec rm {} \; #using "rm" execution
sudo find /var/log/ -name "#{system_log_name2}.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log/ -name "#{system_log_name3}.*" -exec unlink {} \; #using "unlink" execution
name: sh
elevation_required: true
- name: Overwrite macOS system log via echo utility
@@ -4653,8 +4733,13 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
executor:
command: 'sudo echo '''' > /var/log/system.log
command: 'sudo echo '''' > #{system_log_path}
'
name: sh
@@ -4680,8 +4765,24 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: 'sudo unlink /var/log/system.log
command: 'sudo unlink #{system_log_path}
'
name: sh
@@ -4694,8 +4795,24 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: 'sudo shred -u -z -n 3 /var/log/system.log
command: 'sudo shred -u -z -n 3 #{system_log_path}
'
name: sh
@@ -4708,10 +4825,31 @@ defense-evasion:
Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
system_log_folder:
description: path to log parent folder
type: string
default: "/var/log/"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path} #{system_log_folder}
'
get_prereq_command: 'mkdir -p #{system_log_folder} && touch #{system_log_path}
#{system_log_folder}/system.log
'
executor:
command: |
sudo srm /var/log/system.log #system log file deletion
sudo srm -r /var/log/ #recursive deletion of log files
sudo srm #{system_log_path} #system log file deletion
sudo srm -r #{system_log_folder} #recursive deletion of log files
name: sh
elevation_required: true
- name: Delete system log files using OSAScript
@@ -4723,8 +4861,24 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: 'osascript -e ''do shell script "rm /var/log/system.log" with administrator
command: 'osascript -e ''do shell script "rm #{system_log_path}" with administrator
privileges''
'
@@ -4738,8 +4892,24 @@ defense-evasion:
Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: 'osascript -e ''tell application "Finder" to delete POSIX file "/var/log/system.log"''
command: 'osascript -e ''tell application "Finder" to delete POSIX file "#{system_log_path}"''
'
name: sh
@@ -4753,9 +4923,25 @@ defense-evasion:
'
supported_platforms:
- linux
input_arguments:
journal_folder:
description: path to journal logs
type: string
default: "/var/log/journal"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{journal_folder}
'
get_prereq_command: 'mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal
'
executor:
command: |
sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
name: sh
elevation_required: true
@@ -4773,7 +4959,19 @@ defense-evasion:
description: Username of mail spool
type: string
default: root
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat /var/spool/mail/#{username}
'
get_prereq_command: 'touch /var/spool/mail/#{username}
'
executor:
elevation_required: true
command: 'echo 0> /var/spool/mail/#{username}
'
@@ -4796,6 +4994,11 @@ defense-evasion:
'
name: bash
elevation_required: true
cleanup_command: 'if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path}
; fi
'
T1218.004:
technique:
x_mitre_platforms:
atomics/Indexes/linux-index.yaml
+59 -3
View File
@@ -3310,10 +3310,33 @@ defense-evasion:
supported_platforms:
- macos
- linux
input_arguments:
syslog_path:
description: path of syslog file to delete. On macos it's /var/log/system.log*,
on linux, it's /var/log/syslog*. Also note for File events, that on macos,
/var/ is a link to /private/var/.
type: string
default: "/var/log/system.log"
macos_audit_path:
description: path of audit file to delete
type: string
default: "/var/audit/20220725213300.202208110700021"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi
&& stat #{syslog_path}
'
get_prereq_command: |
touch #{syslog_path}
if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
executor:
command: |
sudo rm -rf /private/var/log/system.log*
sudo rm -rf /private/var/audit/*
sudo rm -rf #{syslog_path}
if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
name: sh
elevation_required: true
- name: Delete system journal logs via rm and journalctl utilities
@@ -3325,9 +3348,25 @@ defense-evasion:
'
supported_platforms:
- linux
input_arguments:
journal_folder:
description: path to journal logs
type: string
default: "/var/log/journal"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{journal_folder}
'
get_prereq_command: 'mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal
'
executor:
command: |
sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
name: sh
elevation_required: true
@@ -3345,7 +3384,19 @@ defense-evasion:
description: Username of mail spool
type: string
default: root
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat /var/spool/mail/#{username}
'
get_prereq_command: 'touch /var/spool/mail/#{username}
'
executor:
elevation_required: true
command: 'echo 0> /var/spool/mail/#{username}
'
@@ -3368,6 +3419,11 @@ defense-evasion:
'
name: bash
elevation_required: true
cleanup_command: 'if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path}
; fi
'
T1218.004:
technique:
x_mitre_platforms:
atomics/Indexes/macos-index.yaml
+187 -17
View File
@@ -3041,10 +3041,33 @@ defense-evasion:
supported_platforms:
- macos
- linux
input_arguments:
syslog_path:
description: path of syslog file to delete. On macos it's /var/log/system.log*,
on linux, it's /var/log/syslog*. Also note for File events, that on macos,
/var/ is a link to /private/var/.
type: string
default: "/var/log/system.log"
macos_audit_path:
description: path of audit file to delete
type: string
default: "/var/audit/20220725213300.202208110700021"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi
&& stat #{syslog_path}
'
get_prereq_command: |
touch #{syslog_path}
if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
executor:
command: |
sudo rm -rf /private/var/log/system.log*
sudo rm -rf /private/var/audit/*
sudo rm -rf #{syslog_path}
if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
name: sh
elevation_required: true
- name: Delete log files using built-in log utility
@@ -3059,7 +3082,6 @@ defense-evasion:
command: |
sudo log erase --all
sudo log erase --ttl #Deletes only time-to-live log content
sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
name: sh
elevation_required: true
- name: Truncate system log files via truncate utility
@@ -3071,9 +3093,25 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path of system log to delete.
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: "sudo truncate -s 0 /var/log/system.log #size parameter shorthand\nsudo
truncate --size=0 /var/log/system.log #size parameter \n"
command: "sudo truncate -s 0 #{system_log_path} #size parameter shorthand\nsudo
truncate --size=0 #{system_log_path} #size parameter \n"
name: sh
elevation_required: true
- name: Delete log files via cat utility by appending /dev/null or /dev/zero
@@ -3085,10 +3123,26 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path of system log to delete.
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: |
sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)
name: sh
elevation_required: true
- name: System log file deletion via find utility
@@ -3099,11 +3153,37 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_name1:
description: name or prefix of system log to delete.
type: string
default: system.log
system_log_name2:
description: name or prefix of system log to delete.
type: string
default: system.log.97.gz
system_log_name3:
description: name or prefix of system log to delete.
type: string
default: system.log.98.gz
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat /var/log/#{system_log_name1} /var/log/#{system_log_name2}
/var/log/#{system_log_name3}
'
get_prereq_command: 'touch /var/log/#{system_log_name1} /var/log/#{system_log_name2}
/var/log/#{system_log_name3}
'
executor:
command: |
sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
sudo find /var/log -name '#{system_log_name1}.*' -exec rm {} \; #using "rm" execution
sudo find /var/log/ -name "#{system_log_name2}.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log/ -name "#{system_log_name3}.*" -exec unlink {} \; #using "unlink" execution
name: sh
elevation_required: true
- name: Overwrite macOS system log via echo utility
@@ -3114,8 +3194,13 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
executor:
command: 'sudo echo '''' > /var/log/system.log
command: 'sudo echo '''' > #{system_log_path}
'
name: sh
@@ -3141,8 +3226,24 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: 'sudo unlink /var/log/system.log
command: 'sudo unlink #{system_log_path}
'
name: sh
@@ -3155,8 +3256,24 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: 'sudo shred -u -z -n 3 /var/log/system.log
command: 'sudo shred -u -z -n 3 #{system_log_path}
'
name: sh
@@ -3169,10 +3286,31 @@ defense-evasion:
Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
system_log_folder:
description: path to log parent folder
type: string
default: "/var/log/"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path} #{system_log_folder}
'
get_prereq_command: 'mkdir -p #{system_log_folder} && touch #{system_log_path}
#{system_log_folder}/system.log
'
executor:
command: |
sudo srm /var/log/system.log #system log file deletion
sudo srm -r /var/log/ #recursive deletion of log files
sudo srm #{system_log_path} #system log file deletion
sudo srm -r #{system_log_folder} #recursive deletion of log files
name: sh
elevation_required: true
- name: Delete system log files using OSAScript
@@ -3184,8 +3322,24 @@ defense-evasion:
'
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: 'osascript -e ''do shell script "rm /var/log/system.log" with administrator
command: 'osascript -e ''do shell script "rm #{system_log_path}" with administrator
privileges''
'
@@ -3199,8 +3353,24 @@ defense-evasion:
Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
supported_platforms:
- macos
input_arguments:
system_log_path:
description: path to system.log
type: string
default: "/var/log/system.log"
dependency_executor_name: sh
dependencies:
- description: 'target files must exist
'
prereq_command: 'stat #{system_log_path}
'
get_prereq_command: 'touch #{system_log_path}
'
executor:
command: 'osascript -e ''tell application "Finder" to delete POSIX file "/var/log/system.log"''
command: 'osascript -e ''tell application "Finder" to delete POSIX file "#{system_log_path}"''
'
name: sh
atomics/T1070.002/T1070.002.md
+215 -20
View File
@@ -58,18 +58,37 @@ Delete system and audit logs
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| syslog_path | path of syslog file to delete. On macos it's /var/log/system.log*, on linux, it's /var/log/syslog*. Also note for File events, that on macos, /var/ is a link to /private/var/. | string | /var/log/system.log|
| macos_audit_path | path of audit file to delete | string | /var/audit/20220725213300.202208110700021|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo rm -rf /private/var/log/system.log*
sudo rm -rf /private/var/audit/*
sudo rm -rf #{syslog_path}
if [ -d /var/audit ] ; then sudo rm -rf #{macos_audit_path} ; fi
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
if [ -d /var/audit ] ; then stat #{macos_audit_path} ; fi && stat #{syslog_path}
```
##### Get Prereq Commands:
```sh
touch #{syslog_path}
if [ -d /var/audit ] ; then touch #{macos_audit_path} ; fi
```
<br/>
@@ -94,7 +113,6 @@ This test deletes main log datastore, inflight log data, time-to-live data(TTL),
```sh
sudo log erase --all
sudo log erase --ttl #Deletes only time-to-live log content
sudo log erase --predicate 'subsystem == "com.apple.appstore"' #Deletes all logs related to the App Store, useful for clearing specific entries of the system log
```
@@ -117,18 +135,35 @@ This test truncates the system log files using the truncate utility with (-s 0 o
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path of system log to delete. | string | /var/log/system.log|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo truncate -s 0 /var/log/system.log #size parameter shorthand
sudo truncate --size=0 /var/log/system.log #size parameter
sudo truncate -s 0 #{system_log_path} #size parameter shorthand
sudo truncate --size=0 #{system_log_path} #size parameter
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
stat #{system_log_path}
```
##### Get Prereq Commands:
```sh
touch #{system_log_path}
```
<br/>
@@ -146,18 +181,35 @@ The first sub-test truncates the log file to zero bytes via /dev/null and the se
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path of system log to delete. | string | /var/log/system.log|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo cat /dev/null > /var/log/system.log #truncating the file to zero bytes
sudo cat /dev/zero > /var/lol/system.log #log file filled with null bytes(zeros)
sudo cat /dev/null > #{system_log_path} #truncating the file to zero bytes
sudo dd if=/dev/zero bs=1000 count=5 of=#{system_log_path} #log file filled with null bytes(zeros)
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
stat #{system_log_path}
```
##### Get Prereq Commands:
```sh
touch #{system_log_path}
```
<br/>
@@ -175,19 +227,38 @@ This test finds and deletes the system log files within /var/log/ directory usin
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_name1 | name or prefix of system log to delete. | string | system.log|
| system_log_name2 | name or prefix of system log to delete. | string | system.log.97.gz|
| system_log_name3 | name or prefix of system log to delete. | string | system.log.98.gz|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo find /var/log -name 'system.log.*' -exec rm {} \; #using "rm" execution
sudo find /var/log/ -name "system.log.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log/ -name "system.log.*" -exec unlink {} \; #using "unlink" execution
sudo find /var/log -name '#{system_log_name1}.*' -exec rm {} \; #using "rm" execution
sudo find /var/log/ -name "#{system_log_name2}.*" -exec shred -u -z -n 3 {} \; #using "shred" execution
sudo find /var/log/ -name "#{system_log_name3}.*" -exec unlink {} \; #using "unlink" execution
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
stat /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}
```
##### Get Prereq Commands:
```sh
touch /var/log/#{system_log_name1} /var/log/#{system_log_name2} /var/log/#{system_log_name3}
```
<br/>
@@ -205,12 +276,17 @@ This test overwrites the contents of system log file with an empty string using
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path to system.log | string | /var/log/system.log|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo echo '' > /var/log/system.log
sudo echo '' > #{system_log_path}
```
@@ -261,17 +337,34 @@ This test deletes the system log file using unlink utility
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path to system.log | string | /var/log/system.log|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo unlink /var/log/system.log
sudo unlink #{system_log_path}
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
stat #{system_log_path}
```
##### Get Prereq Commands:
```sh
touch #{system_log_path}
```
<br/>
@@ -289,17 +382,34 @@ This test overwrites the contents of the log file with zero bytes(-z) using thre
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path to system.log | string | /var/log/system.log|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo shred -u -z -n 3 /var/log/system.log
sudo shred -u -z -n 3 #{system_log_path}
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
stat #{system_log_path}
```
##### Get Prereq Commands:
```sh
touch #{system_log_path}
```
<br/>
@@ -319,18 +429,36 @@ Refer: https://github.com/khell/homebrew-srm/issues/1 for installation
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path to system.log | string | /var/log/system.log|
| system_log_folder | path to log parent folder | string | /var/log/|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo srm /var/log/system.log #system log file deletion
sudo srm -r /var/log/ #recursive deletion of log files
sudo srm #{system_log_path} #system log file deletion
sudo srm -r #{system_log_folder} #recursive deletion of log files
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
stat #{system_log_path} #{system_log_folder}
```
##### Get Prereq Commands:
```sh
mkdir -p #{system_log_folder} && touch #{system_log_path} #{system_log_folder}/system.log
```
<br/>
@@ -348,17 +476,34 @@ This test deletes the system log file using osascript via "do shell script"(sh/b
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path to system.log | string | /var/log/system.log|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
osascript -e 'do shell script "rm /var/log/system.log" with administrator privileges'
osascript -e 'do shell script "rm #{system_log_path}" with administrator privileges'
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
stat #{system_log_path}
```
##### Get Prereq Commands:
```sh
touch #{system_log_path}
```
<br/>
@@ -378,17 +523,34 @@ Refer: https://www.rainforestqa.com/blog/macos-tcc-db-deep-dive
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| system_log_path | path to system.log | string | /var/log/system.log|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
osascript -e 'tell application "Finder" to delete POSIX file "/var/log/system.log"'
osascript -e 'tell application "Finder" to delete POSIX file "#{system_log_path}"'
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
stat #{system_log_path}
```
##### Get Prereq Commands:
```sh
touch #{system_log_path}
```
<br/>
@@ -406,18 +568,35 @@ The first sub-test deletes the journal files using rm utility in the "/var/log/j
#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| journal_folder | path to journal logs | string | /var/log/journal|
#### Attack Commands: Run with `sh`! Elevation Required (e.g. root or admin)
```sh
sudo rm /var/log/journal/* #physically deletes the journal files, and not just their content
sudo rm #{journal_folder}/* #physically deletes the journal files, and not just their content
sudo journalctl --vacuum-time=0 #clears the journal while still keeping the journal files in place
```
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
stat #{journal_folder}
```
##### Get Prereq Commands:
```sh
mkdir -p #{journal_folder} && touch #{journal_folder}/T1070_002.journal
```
<br/>
@@ -441,7 +620,7 @@ This test overwrites the Linux mail spool of a specified user. This technique wa
| username | Username of mail spool | string | root|
#### Attack Commands: Run with `bash`!
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
@@ -451,6 +630,18 @@ echo 0> /var/spool/mail/#{username}
#### Dependencies: Run with `sh`!
##### Description: target files must exist
##### Check Prereq Commands:
```sh
stat /var/spool/mail/#{username}
```
##### Get Prereq Commands:
```sh
touch /var/spool/mail/#{username}
```
<br/>
@@ -474,13 +665,17 @@ This test overwrites the specified log. This technique was used by threat actor
| log_path | Path of specified log | path | /var/log/secure|
#### Attack Commands: Run with `bash`!
#### Attack Commands: Run with `bash`! Elevation Required (e.g. root or admin)
```bash
echo 0> #{log_path}
```
#### Cleanup Commands:
```bash
if [ "/var/log/secure" != "#{log_path}" ] ; then rm -f #{log_path} ; fi
```